To stay off the radar when leaking information to the press, whistleblowers often turn to the dark web to mask their identity. But that's no match for a new malicious app that spies on your computer hardware, and can tell when you've visited whistleblower sites through the Tor Browser.
Thankfully, this revelation doesn't come from hackers. Instead, the app was developed by computer scientists at the Worcester Polytechnic Institute (WPI), and they uploaded a paper outlining their work to the arXiv preprint server last week. Their app makes use of a well-known attack in academic circles: if you carefully track and analyze the patterns of use on a computer's processor, you can piece together what the user is actually doing.
Now, the researchers have shown that it can be done with a malicious app running in the background on someone's machine, and a bit of AI.
"You might protect your browsing habits by going into incognito mode or using the Tor Browser—the traffic there is hidden from, say, your IT admin," said Berk Sunar, one of the study's co-authors, over the phone. "What we're showing here is that in that unprotected corporate environment, even using tools like Tor, your browsing history can be leaked in part to a monitoring authority."
The researchers used Linux, which allowed them to access the data they needed (a rooted Windows or Mac system could allow similar access, Sunar said). They first tracked processor usage with the app while browsing different sites in Chrome in incognito mode, and in Tor, the browser that lets you access the dark web. An AI algorithm then parsed all of this data to come up with a baseline to predict which sites a user visited.
After training, the algorithm could look at new hardware use patterns via the app and predict whether a user had visited Netflix or Amazon with surprising accuracy: 86.3 percent for Chrome in Incognito mode.
In Tor, the system was less accurate, but only slightly. Just by looking at hardware use and analyzing it with an algorithm, the researchers could infer which websites were being accessed via Tor with 71 percent accuracy. When it came to whistleblower sites like Wikileaks and GlobalLeaks, the system's accuracy jumped to 84 percent.
The results for Tor were generally worse because the malicious tracking app caught the browser start-up and all the random jitters due to connection delays, creating a noisy dataset. The accuracy was better for whistleblowing sites, Sunar said, simply because it's a much smaller pool of sites to choose from.
So, if you're a whistleblower, how worried should you be about the government, or anyone else, using this tool to find you? "In the short term, I'd say not very worried, because there are so many other vulnerabilities out there that are easier to pull off," Sunar said. (The research was government-funded, via the US National Science Foundation, an agency that funds a wide array of research into science and engineering). And remember, these are researchers working in a tightly controlled experimental environment, trying to prove that they can do something nobody's done before—not spooks or hackers trying to make a buck.
"You could tie it into a simple gaming application"
There's also the fact that the work took place in Linux, which is an extremely unpopular operating system. Taking this mobile, and on a more popular platform like iOS, would take some work. The iPhone's operating system doesn't allow access to the same fine-grain detail Linux allows, but there are other hardware performance indicators that could be folded into the system to work on iOS. "You could tie it into a simple gaming application," Sunar said. "Like Tetris, for example."
The attack also requires the user to download a malicious app, and although scammy apps have made it onto major app stores before, there's no guarantee that this one would. You'd also have to be in the crosshairs for someone really, really determined, in which case you might have bigger problems.
Still, the research is a good reminder that no privacy tool is perfect, and perhaps most importantly, if you let somebody own your computer, well, you're boned. The lesson remains: don't click any phishy links out there, and be careful what apps you put on your machine.
Subscribe to Science Solved It , Motherboard's new show about the greatest mysteries that were solved by science.